From 4a8ca1017f7ecd04375a7bfff4eaf254c030fd16 Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Dec 17 2008 16:59:30 +0000 Subject: fix missing read-only access checks, fixes CVE-2008-5086 daniel --- diff --git a/libvirt-0.5.1-read-only-checks.patch b/libvirt-0.5.1-read-only-checks.patch new file mode 100644 index 0000000..45bf34f --- /dev/null +++ b/libvirt-0.5.1-read-only-checks.patch @@ -0,0 +1,152 @@ +diff --git a/src/libvirt.c b/src/libvirt.c +--- a/src/libvirt.c ++++ b/src/libvirt.c +@@ -2296,6 +2296,16 @@ virDomainMigrate (virDomainPtr domain, + conn = domain->conn; /* Source connection. */ + if (!VIR_IS_CONNECT (dconn)) { + virLibConnError (conn, VIR_ERR_INVALID_CONN, __FUNCTION__); ++ return NULL; ++ } ++ ++ if (domain->conn->flags & VIR_CONNECT_RO) { ++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return NULL; ++ } ++ if (dconn->flags & VIR_CONNECT_RO) { ++ /* NB, delibrately report error against source object, not dest here */ ++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return NULL; + } + +@@ -2426,6 +2436,11 @@ virDomainMigratePrepare (virConnectPtr d + return -1; + } + ++ if (dconn->flags & VIR_CONNECT_RO) { ++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return -1; ++ } ++ + if (dconn->driver->domainMigratePrepare) + return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen, + uri_in, uri_out, +@@ -2457,6 +2472,11 @@ virDomainMigratePerform (virDomainPtr do + } + conn = domain->conn; + ++ if (domain->conn->flags & VIR_CONNECT_RO) { ++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return -1; ++ } ++ + if (conn->driver->domainMigratePerform) + return conn->driver->domainMigratePerform (domain, cookie, cookielen, + uri, +@@ -2482,6 +2502,11 @@ virDomainMigrateFinish (virConnectPtr dc + + if (!VIR_IS_CONNECT (dconn)) { + virLibConnError (NULL, VIR_ERR_INVALID_CONN, __FUNCTION__); ++ return NULL; ++ } ++ ++ if (dconn->flags & VIR_CONNECT_RO) { ++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return NULL; + } + +@@ -2517,6 +2542,11 @@ virDomainMigratePrepare2 (virConnectPtr + return -1; + } + ++ if (dconn->flags & VIR_CONNECT_RO) { ++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return -1; ++ } ++ + if (dconn->driver->domainMigratePrepare2) + return dconn->driver->domainMigratePrepare2 (dconn, cookie, cookielen, + uri_in, uri_out, +@@ -2547,6 +2577,11 @@ virDomainMigrateFinish2 (virConnectPtr d + return NULL; + } + ++ if (dconn->flags & VIR_CONNECT_RO) { ++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return NULL; ++ } ++ + if (dconn->driver->domainMigrateFinish2) + return dconn->driver->domainMigrateFinish2 (dconn, dname, + cookie, cookielen, +@@ -2905,6 +2940,11 @@ virDomainBlockPeek (virDomainPtr dom, + } + conn = dom->conn; + ++ if (dom->conn->flags & VIR_CONNECT_RO) { ++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return (-1); ++ } ++ + if (!path) { + virLibDomainError (dom, VIR_ERR_INVALID_ARG, + _("path is NULL")); +@@ -2980,6 +3020,11 @@ virDomainMemoryPeek (virDomainPtr dom, + } + conn = dom->conn; + ++ if (dom->conn->flags & VIR_CONNECT_RO) { ++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return (-1); ++ } ++ + /* Flags must be VIR_MEMORY_VIRTUAL at the moment. + * + * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is +@@ -3246,6 +3291,11 @@ virDomainSetAutostart(virDomainPtr domai + } + + conn = domain->conn; ++ ++ if (domain->conn->flags & VIR_CONNECT_RO) { ++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return (-1); ++ } + + if (conn->driver->domainSetAutostart) + return conn->driver->domainSetAutostart (domain, autostart); +@@ -4197,6 +4247,11 @@ virNetworkSetAutostart(virNetworkPtr net + return (-1); + } + ++ if (network->conn->flags & VIR_CONNECT_RO) { ++ virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return (-1); ++ } ++ + conn = network->conn; + + if (conn->networkDriver && conn->networkDriver->networkSetAutostart) +@@ -4395,6 +4450,11 @@ virConnectFindStoragePoolSources(virConn + return NULL; + } + ++ if (conn->flags & VIR_CONNECT_RO) { ++ virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return NULL; ++ } ++ + if (conn->storageDriver && conn->storageDriver->findPoolSources) + return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags); + +@@ -5068,6 +5128,11 @@ virStoragePoolSetAutostart(virStoragePoo + return (-1); + } + ++ if (pool->conn->flags & VIR_CONNECT_RO) { ++ virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__); ++ return (-1); ++ } ++ + conn = pool->conn; + + if (conn->storageDriver && conn->storageDriver->poolSetAutostart) diff --git a/libvirt.spec b/libvirt.spec index ee650c3..3482ab9 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -35,11 +35,12 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.5.1 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries Source: libvirt-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +Patch0: libvirt-0.5.1-read-only-checks.patch URL: http://libvirt.org/ BuildRequires: python python-devel Requires: libxml2 @@ -163,6 +164,7 @@ of recent versions of Linux (and other OSes). %prep %setup -q +%patch0 -p1 %build %if ! %{with_xen} @@ -403,6 +405,9 @@ fi %endif %changelog +* Wed Dec 17 2008 Daniel Veillard - 0.5.1-2.fc11 +- fix missing read-only access checks, fixes CVE-2008-5086 + * Fri Dec 5 2008 Daniel Veillard - 0.5.1-1.fc11 - upstream release 0.5.1 - mostly bugfixes e.g #473071